Gogs: LFS dedupe path leaks private repo content across tenants

Summary Git LFS storage is content-addressed by OID alone /// but per-repo authorization lives in the lfsobject table keyed repoid, oid. serveUpload skips re-uploading when the OID file already exists on disk and inserts a new repoid, oid row pointing at it without verifying the request body hash...

GHSA-89MR-XQFV-758M Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym

Summary Repository.UploadRepoFiles checks for symlinks only on the leaf of the upload target osx.IsSymlinktargetPath. The siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every component — UploadRepoFiles is the lone outlier. An attacker with repo-wri...

Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym

Summary Repository.UploadRepoFiles checks for symlinks only on the leaf of the upload target osx.IsSymlinktargetPath. The siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every component — UploadRepoFiles is the lone outlier. An attacker with repo-wri...

Gogs allows users to write to readonly repositories using receive-pack + service=git-upload-pack confusion

Summary Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string so ?service=git-upload-pack is evaluated as read access while routing still runs git receive-pack, allowing push where only read should be allowed. Details Gogs' Git Smart HTTP handler for...

GHSA-WMFG-5P4H-5FW3 Gogs allows users to write to readonly repositories using receive-pack + service=git-upload-pack confusion

Summary Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string so ?service=git-upload-pack is evaluated as read access while routing still runs git receive-pack, allowing push where only read should be allowed. Details Gogs' Git Smart HTTP handler for...

GHSA-5C3F-6486-3G7G Gogs's password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES

Summary Password-reset tokens are generated using conf.Auth.ActivateCodeLives the account-activation lifetime, not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, making...

Gogs's password-reset tokens use account-activation lifetime, ignoring RESET_PASSWORD_CODE_LIVES

Summary Password-reset tokens are generated using conf.Auth.ActivateCodeLives the account-activation lifetime, not conf.Auth.ResetPasswordCodeLives. The token lifetime is baked into the token itself at generation time and is re-extracted from the token at verification time, making...

GHSA-268J-37XF-PP52 Gogs's write-level collaborators can mutate admin-only repository settings via API

Summary Three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated by reqRepoWriter rather than reqRepoAdmin. The equivalent operations in the web UI sit behind reqRepoAdmin, which requir...

Gogs's write-level collaborators can mutate admin-only repository settings via API

Summary Three API endpoints — PATCH /api/v1/repos/:owner/:repo/issue-tracker, PATCH /api/v1/repos/:owner/:repo/wiki, and POST /api/v1/repos/:owner/:repo/mirror-sync — are gated by reqRepoWriter rather than reqRepoAdmin. The equivalent operations in the web UI sit behind reqRepoAdmin, which requir...

GHSA-VCM5-GVMP-78MP Gogs has DOM-based XSS via Milestone Name on New Issue Page

Summary The fix for GHSA-vgjm-2cpf-4g7c DOM-based XSS via milestone selection was only applied to templates/repo/issue/viewcontent.tmpl but not to templates/repo/issue/newform.tmpl. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page an...

Gogs has DOM-based XSS via Milestone Name on New Issue Page

Summary The fix for GHSA-vgjm-2cpf-4g7c DOM-based XSS via milestone selection was only applied to templates/repo/issue/viewcontent.tmpl but not to templates/repo/issue/newform.tmpl. An attacker can store an HTML/JavaScript payload in a milestone name, and when any user opens the New Issue page an...

GHSA-QF6P-P7WW-CWR9 Gogs vulnerable to RCE via git rebase --exec argument injection in pull request merge

Gogs: RCE via git rebase --exec Argument Injection in PR Merge Summary Gogs allows authenticated users to achieve Remote Code Execution RCE on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the "Rebase...

Gogs vulnerable to RCE via git rebase --exec argument injection in pull request merge

Gogs: RCE via git rebase --exec Argument Injection in PR Merge Summary Gogs allows authenticated users to achieve Remote Code Execution RCE on the server by creating a pull request with a specially crafted branch name that injects the --exec flag into the git rebase command during the "Rebase...

GHSA-G2F5-GJR4-QJVM Gogs has a Migration Redirect Bypass that Leads to Internal Repository Theft

Migration URL validation bypass via HTTP redirect to blocked internal endpoints Summary A Server-Side Request Forgery SSRF vulnerability exists in the repository migration functionality. The application validates only the initially submitted URL hostname, but git clone --mirror follows HTTP...

Gogs has a Migration Redirect Bypass that Leads to Internal Repository Theft

Migration URL validation bypass via HTTP redirect to blocked internal endpoints Summary A Server-Side Request Forgery SSRF vulnerability exists in the repository migration functionality. The application validates only the initially submitted URL hostname, but git clone --mirror follows HTTP...

GHSA-4565-R4X7-HG8J Gogs Vulnerable to Privilege Escalation via Collaboration Access Mode Validation

Summary A repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCollaborationAccessMode function. Vulnerable Code In internal/database/repocollaboration.go, line 129: go func r Repository ChangeCollaborationAccessModeuserI...

Gogs Vulnerable to Privilege Escalation via Collaboration Access Mode Validation

Summary A repository admin collaborator can escalate their privileges to owner-level access by exploiting an off-by-one error in the ChangeCollaborationAccessMode function. Vulnerable Code In internal/database/repocollaboration.go, line 129: go func r Repository ChangeCollaborationAccessModeuserI...

GHSA-XXHQ-69MF-W8CR Gogs has an Open Redirect via redirect_to

Summary An open redirect vulnerability exists in Gogs where attacker-controlled redirectto parameters can bypass validation, allowing redirection to arbitrary external sites. Details All redirects in Gogs that are validated via the IsSameSite function are vulnerable: go func IsSameSiteurl string...

Gogs has an Open Redirect via redirect_to

Summary An open redirect vulnerability exists in Gogs where attacker-controlled redirectto parameters can bypass validation, allowing redirection to arbitrary external sites. Details All redirects in Gogs that are validated via the IsSameSite function are vulnerable: go func IsSameSiteurl string...

CVE-2026-56696

OpenHarness /issue and /prcomments slash commands lack remoteinvocable=False protection, allowing remote channel senders to write attacker-controlled Markdown into project context files. Admitted remote attackers can inject malicious content into .openharness/issue.md and .openharness/prcomments....